Start
CreateRestorePoint:
CloseProcesses:
Task: {D84DCAAE-10EF-47B0-BE6F-255AA685AAC4} - System32\Tasks\cdlTENH65d3ujDZ6 => C:\ProgramData\vnklil6O7RwqOAE9\5iCYJL07bXPAsqF.exe [1756672 2026-04-11] () [File not signed]
Task: {C5602807-1A74-48AD-B7AB-262097D76D8A} - System32\Tasks\VxKhKFyFucEW0f0 => C:\ProgramData\3ifmf96w9N0mdVKs\0iVNnDXTBSBEjYfc.exe [1789440 2026-05-22] () [File not signed]
2026-05-22 11:00 - 2026-05-22 11:00 - 000003352 _____ C:\Windows\system32\Tasks\VxKhKFyFucEW0f0
2026-05-22 11:00 - 2026-05-22 11:00 - 000000000 __SHD C:\ProgramData\3ifmf96w9N0mdVKs
C:\ProgramData\vnklil6O7RwqOAE9
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Edge HKLM-x32\...\Edge\Extension: [fdhgeoginicibhagdmblfikbgbkahibd]
C:\Users\vince\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\fheoggkfdfchfphceeifdbepaooicaho
C:\Users\vince\AppData\Local\Google\Chrome\User Data\Profile 11\Extensions\fheoggkfdfchfphceeifdbepaooicaho
C:\Users\vince\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\fheoggkfdfchfphceeifdbepaooicaho
C:\Users\vince\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\fheoggkfdfchfphceeifdbepaooicaho
C:\Users\vince\AppData\Local\Google\Chrome\User Data\Profile 5\Extensions\fheoggkfdfchfphceeifdbepaooicaho
C:\Users\vince\AppData\Local\Google\Chrome\User Data\Profile 7\Extensions\aegnopegbbhjeeiganiajffnalhlkkjb
C:\Users\vince\AppData\Local\Google\Chrome\User Data\Profile 7\Extensions\fheoggkfdfchfphceeifdbepaooicaho
C:\Users\vince\AppData\Local\Google\Chrome\User Data\Profile 8\Extensions\fheoggkfdfchfphceeifdbepaooicaho
CHR HKLM-x32\...\Chrome\Extension: [aegnopegbbhjeeiganiajffnalhlkkjb]
R2 McAfee WebAdvisor; C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe [999552 2026-06-04] (McAfee, LLC -> McAfee, LLC)
C:\Program Files\McAfee
2026-06-05 10:28 - 2025-09-19 00:51 - 000000000 ____D C:\Users\vince\AppData\Roaming\RenPy
IE trusted site: HKU\S-1-5-21-906904331-1790331761-2417870006-1001\...\webcompanion.com -> hxxp://webcompanion.com
HKU\S-1-5-21-906904331-1790331761-2417870006-1001\...\Run: [Viewndow] => C:\Users\vince\AppData\Local\Programs\Viewndow\Viewndow.exe (No File)
HKU\S-1-5-21-906904331-1790331761-2417870006-1001\...\Run: [Web Companion] => C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize (No File) <==== ATTENTION
HKU\S-1-5-21-906904331-1790331761-2417870006-1001\...\Run: [Windscribe] => "C:\Program Files\Windscribe\Windscribe.exe" -os_restart (No File)
HKU\S-1-5-21-906904331-1790331761-2417870006-1001\...\Run: [EPSDNMON] => "" (No File)
Task: {307CC2B5-803A-487F-8BC9-FD39DF8D5DB1} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => %ProgramFiles%\Common Files\Microsoft Shared\Office15\OLicenseHeartbeat.exe (No File)
S3 AAErrorPort; C:\Users\vince\AppData\Local\Temp\ActiveAnticheat\1223911\aaerrport.exe (No File) <==== ATTENTION
S2 AtomService; "C:\Program Files (x86)\Ivacy\Atom\AtomService\Atom.SDK.WindowsService.exe" (No File)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys (No File)
S3 NEProtect; \??\D:\SteamLibrary\steamapps\common\Once Human\NEProtect.sys (No File)
S3 PRProt; \??\C:\Users\vince\AppData\Local\Temp\ActiveAnticheat\1223911\active64.sys (No File) <==== ATTENTION
S3 rsDwf; \SystemRoot\system32\DRIVERS\rsDwf.sys (No File)
S3 SDGame32; \??\D:\DragonNest\GPK\SDGame32.sys (No File)
2026-02-06 22:09 - 2026-02-06 22:09 - 000000048 ____R () C:\Users\vince\AppData\Local\0275D6D49A6B65B90B6C70694D30BFBA
CustomCLSID: HKU\S-1-5-21-906904331-1790331761-2417870006-1001_Classes\CLSID\{6b25e24d-0bcc-9858-ca99-06ec62a33de2}\localserver32 -> "D:\New folder (4)\LegendOfYmirG\launcher\LegendOfYmirGLauncher.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-906904331-1790331761-2417870006-1001_Classes\CLSID\{a04f95c0-6183-7419-2316-954e331d0cbc}\localserver32 -> "C:\Program Files\Proton\VPN\v3.2.2\ProtonVPN.exe" -ToastActivated => No File
AlternateDataStreams: C:\Windows\tracing:? [16]
AlternateDataStreams: C:\ProgramData\mntemp:8EAD8B3507 [2594]
AlternateDataStreams: C:\ProgramData\Pie64_5.12.105.1006.exe.tmp:67C8574FC9 [2594]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini:B1DA6C571C [2594]
AlternateDataStreams: C:\Users\vince\Application Data:48e63d4de0a63256000858a7c61c87df [394]
AlternateDataStreams: C:\Users\vince\Application Data:4fdeb2f3efa815e98db192c0991d2fdf [394]
AlternateDataStreams: C:\Users\vince\Application Data:7230fefd864f35e6569012bef46d88ae [394]
AlternateDataStreams: C:\Users\vince\Application Data:78298b70318d60fb47fc7a177d14ce85 [394]
AlternateDataStreams: C:\Users\vince\Application Data:84bc1c93d310d534abe6b7c11e3cef0d [394]
AlternateDataStreams: C:\Users\vince\Application Data:86eed5e9ae33ac37f945eeb43141b1b4 [394]
AlternateDataStreams: C:\Users\vince\Application Data:9ed6e01d16b43ed60035852898458827 [394]
AlternateDataStreams: C:\Users\vince\AppData\Roaming:48e63d4de0a63256000858a7c61c87df [394]
AlternateDataStreams: C:\Users\vince\AppData\Roaming:4fdeb2f3efa815e98db192c0991d2fdf [394]
AlternateDataStreams: C:\Users\vince\AppData\Roaming:7230fefd864f35e6569012bef46d88ae [394]
AlternateDataStreams: C:\Users\vince\AppData\Roaming:78298b70318d60fb47fc7a177d14ce85 [394]
AlternateDataStreams: C:\Users\vince\AppData\Roaming:84bc1c93d310d534abe6b7c11e3cef0d [394]
AlternateDataStreams: C:\Users\vince\AppData\Roaming:86eed5e9ae33ac37f945eeb43141b1b4 [394]
AlternateDataStreams: C:\Users\vince\AppData\Roaming:9ed6e01d16b43ed60035852898458827 [394]
AlternateDataStreams: C:\Users\vince\AppData\Local\Temp:$DATA [16]
FirewallRules: [TCP Query User{15D42E36-4734-4F0A-B8AE-CA9FD16FFD77}D:\new folder (5)\starlauncher\extra\aria2\aria2c.exe] => (Allow) D:\new folder (5)\starlauncher\extra\aria2\aria2c.exe => No File
FirewallRules: [UDP Query User{AE448CF9-EAE5-417C-A7C1-777DCCF2234D}D:\new folder (5)\starlauncher\extra\aria2\aria2c.exe] => (Allow) D:\new folder (5)\starlauncher\extra\aria2\aria2c.exe => No File
FirewallRules: [{3B1446A1-E205-4E26-AC14-9A5087230582}] => (Allow) D:\DragonNest\dragonnest_x64.exe => No File
FirewallRules: [{28DA23A9-EA4A-46ED-8021-DDEFC83F306F}] => (Allow) D:\DragonNest\dragonnest_x64.exe => No File
FirewallRules: [{1763DF54-425E-45CA-AF89-BE67F6C663B6}] => (Allow) D:\DragonNest\Reborn\dragonnest_reborn.exe => No File
FirewallRules: [{6DE4C8D2-04AC-4147-9FCE-9A4A08F4C7E9}] => (Allow) D:\DragonNest\Reborn\dragonnest_reborn.exe => No File
FirewallRules: [{9BBDC4FB-99B1-45E8-A0F9-4C1AA2F8FBB2}] => (Allow) D:\New folder (3)\Purple\2.25.114.18\cefsharp.browsersubprocess.exe => No File
FirewallRules: [{9CCF9637-F735-4AC7-81DC-2AEC1E372BD2}] => (Allow) D:\New folder (4)\Purple\yeti\yeti_v2.1.583.2601_global\purpleon.exe => No File
FirewallRules: [{4BE7A470-F18B-4E79-B1A4-0F46603B8F47}] => (Allow) D:\New folder (4)\Purple\purple-box\PurpleBox.exe => No File
FirewallRules: [{B0CAF7F3-214F-40C1-9A59-C9563727F5BB}] => (Allow) D:\New folder (4)\Purple\2.26.209.1\cefsharp.browsersubprocess.exe => No File
FirewallRules: [TCP Query User{3F784946-F6BC-4EEC-8A9A-F6BF15619859}D:\new folder (6)\cabal online (na - global)\launcher\launcher.exe] => (Allow) D:\new folder (6)\cabal online (na - global)\launcher\launcher.exe => No File
FirewallRules: [UDP Query User{5CF4C892-C6D8-4AEB-BC8C-C3ED10CE055D}D:\new folder (6)\cabal online (na - global)\launcher\launcher.exe] => (Allow) D:\new folder (6)\cabal online (na - global)\launcher\launcher.exe => No File
FirewallRules: [TCP Query User{1CC3B62D-F384-4AFD-9C19-2157BAE170EA}C:\users\vince\cabal online (na - global)\launcher\launcher.exe] => (Allow) C:\users\vince\cabal online (na - global)\launcher\launcher.exe => No File
FirewallRules: [UDP Query User{21C7E4B2-70DA-41B4-8BF5-3A5B7E50AA45}C:\users\vince\cabal online (na - global)\launcher\launcher.exe] => (Allow) C:\users\vince\cabal online (na - global)\launcher\launcher.exe => No File
FirewallRules: [TCP Query User{3EAC134D-277A-48E8-A890-092FE4847B74}C:\program files (x86)\cabal online (na - global)\launcher\launcher.exe] => (Allow) C:\program files (x86)\cabal online (na - global)\launcher\launcher.exe => No File
FirewallRules: [UDP Query User{6F671437-B67A-4804-A88A-F8D27F18929C}C:\program files (x86)\cabal online (na - global)\launcher\launcher.exe] => (Allow) C:\program files (x86)\cabal online (na - global)\launcher\launcher.exe => No File
FirewallRules: [TCP Query User{BC726FA2-4DBE-49FD-8F99-304B3A3D6284}D:\games\towerborne\belfry\binaries\win64\belfry-win64-shipping.exe] => (Allow) D:\games\towerborne\belfry\binaries\win64\belfry-win64-shipping.exe => No File
FirewallRules: [UDP Query User{762F873E-D927-4811-96F0-B60C8237DCA1}D:\games\towerborne\belfry\binaries\win64\belfry-win64-shipping.exe] => (Allow) D:\games\towerborne\belfry\binaries\win64\belfry-win64-shipping.exe => No File
FirewallRules: [TCP Query User{5CD414F5-3942-4A93-88F5-8E735CCB1FC8}D:\joymaker\joymakergame\games\roocalive\exe\rooc.exe] => (Allow) D:\joymaker\joymakergame\games\roocalive\exe\rooc.exe => No File
FirewallRules: [UDP Query User{E456DBE9-8DAE-4CB2-81D0-A39D2F725F72}D:\joymaker\joymakergame\games\roocalive\exe\rooc.exe] => (Allow) D:\joymaker\joymakergame\games\roocalive\exe\rooc.exe => No File
FirewallRules: [TCP Query User{3B1AE353-CE5E-4537-BEF5-D07358584513}C:\new folder (2)\joymakergame\games\roocalive\exe\rooc.exe] => (Allow) C:\new folder (2)\joymakergame\games\roocalive\exe\rooc.exe => No File
FirewallRules: [UDP Query User{28BB27A4-F606-483C-B10A-04F0B5FA41FC}C:\new folder (2)\joymakergame\games\roocalive\exe\rooc.exe] => (Allow) C:\new folder (2)\joymakergame\games\roocalive\exe\rooc.exe => No File
FirewallRules: [{23E0A938-69FD-4C92-885E-53FDB8EF23D0}] => (Allow) C:\Program Files (x86)\BlueStacks X\BlueStacksWeb.exe => No File
FirewallRules: [{D0E6C2EF-9911-4BB3-A3E6-1CDE7BCA82D8}] => (Allow) C:\Program Files (x86)\BlueStacks X\Cloud Game.exe => No File
FirewallRules: [{42874C76-59DC-4285-ABDE-1DA9396920E2}] => (Allow) C:\Program Files\BlueStacks_nxt\HD-Player.exe => No File
FirewallRules: [{9FFBF4E2-F6FF-4DE4-8F5F-6C9D61D11160}] => (Allow) C:\Program Files\BlueStacks_nxt\BlueStacksAppplayerWeb.exe => No File
2026-06-06 10:02 - 2026-06-06 10:02 - 002646016 _____ (Farbar) C:\Users\vince\Downloads\Unconfirmed 513670.crdownload
Folder: C:\Temp
Folder: C:\Program Files (x86)\Microsoft Research
File: C:\Users\vince\AppData\Roaming\toolcomponent.dll;C:\Program Files (x86)\Microsoft Research\NSEC\NShellExt64.dll
C:\Windows\Installer\660a598.msi
Comment: This snippet removes all Windows Defender exclusions
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\TemporaryPaths
StartPowershell:
Try {
$Paths=(Get-MpPreference).ExclusionPath
$Extensions=(Get-MpPreference).ExclusionExtension
$Processes=(Get-MpPreference).ExclusionProcess
foreach ($Path in $Paths) {
Remove-MpPreference -ExclusionPath $Path -force -ErrorAction Stop
}
foreach ($Extension in $Extensions) {
Remove-MpPreference -ExclusionExtension $Extension -force -ErrorAction Stop
}
foreach ($Process in $Processes) {
Remove-MpPreference -ExclusionProcess $Process -force -ErrorAction Stop
}
}
Catch {
Write-Error "Error occurred while removing Windows Defender exclusions: $_"
}
EndPowershell:
Powershell: Get-ScheduledTask | select -first 30 | Get-ScheduledTaskInfo
Powershell: @("$env:APPDATA","$env:LOCALAPPDATA") | ForEach-Object { Get-ChildItem $_ -Recurse -Filter "index.js" -ErrorAction SilentlyContinue } | Where-Object { $_.FullName -match "discord_desktop_core" } | ForEach-Object { Write-Host "--- $($_.FullName) ---"; (Get-Content $_.FullName -Raw).Substring(0,[Math]::Min(2000,(Get-Content $_.FullName -Raw).Length)) }
Powershell: (Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -ErrorAction SilentlyContinue).PSObject.Properties | Where-Object { $_.Name -match "^[a-z]$" } | ForEach-Object { Write-Host "$($_.Name): $($_.Value)" }
C:\WINDOWS\Temp\*
C:\WINDOWS\SystemTemp\*
C:\Users\vince\AppData\Local\Temp\*
StartPowerShell:
# Downloads the newest AdwCleaner version directly from Malwarebytes, performs an update, scans, cleans and writes the log to the console
# Does not clean preinstalled objects, only PUP/Adware
# If you would like to delete preinstalled objects as well, append /preinstalled after the /clean argument
# If you would like to only scan with it, change the argument from /clean to /scan
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\AdwCleaner" | Out-Null
Invoke-WebRequest -Uri "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release" -OutFile "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/eula" -Wait -WindowStyle Hidden
$logFile = "$env:SystemDrive\AdwCleaner\AdwCleanerOutputFRST.txt"
Start-Process -FilePath "$env:SystemDrive\AdwCleaner\AdwCleanerFRST.exe" -ArgumentList "/noreboot /clean" -Wait -WindowStyle Hidden -RedirectStandardOutput $logFile
Get-Content $logFile -Encoding Unicode
Remove-Item -Path $logFile -Force -ErrorAction SilentlyContinue
EndPowerShell:
StartPowershell:
# Replace /scanonly with /clean if you also want to delete items; however, this will activate a trial license on the system, so I do not recommend it
$hmpExe = "$env:TEMP\HitmanPro_x64.exe"
$logFile = "$env:TEMP\HitmanPro_ScanLog.txt"
Invoke-WebRequest -Uri "https://dl.surfright.nl/HitmanPro_x64.exe" -OutFile $hmpExe -UseBasicParsing
$proc = Start-Process $hmpExe -ArgumentList "/ews","/scanonly","/noinstall","/log=`"$logFile`"","/logtype=txt" -Wait -PassThru
if (!(Test-Path $logFile)) { Write-Host "Scan failed (exit $($proc.ExitCode))"; exit 1 }
Get-Content $logFile -Encoding Unicode
EndPowershell:
StartPowerShell:
# This snippet downloads Emsisoft Emergency Kit (EEK) from Emsisoft's official site, updates it and scans with it.
# Do note that the executable is 300MB and may take some time to download.
# ---
# This will scan for malware and PUPs in 1) system memory and 2) important folders, as the documentation says
# It will scan inside compressed archives, mail archives and NTFS alternate data streams, and use cloud requests
# ---
# You can use the argument "/delete" to delete found objects including references, but this is permanent and irreversible.
# You can remove the "/quick" argument to do a full scan, but that may take longer than what FRST can handle.
# You can use the argument /quarantine=[folder] to put found malware into quarantine, but I personally prefer first verifying the detections.
$downloadUrl = "https://dl.emsisoft.com/EmsisoftEmergencyKit.exe"
$systemDrive = $env:SystemDrive
$frstPath = "$systemDrive\FRST"
$savePath = "$frstPath\EEK.exe"
$extractPath = "$frstPath\EEK"
if (-not (Test-Path $frstPath)) {
New-Item -Path $frstPath -ItemType Directory -Force | Out-Null
}
if (-not (Test-Path $extractPath)) {
New-Item -Path $extractPath -ItemType Directory -Force | Out-Null
}
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -UseBasicParsing
$proc = Start-Process -FilePath $savePath -ArgumentList "-s -d`"$extractPath`"" -PassThru
# Wait for the self-extractor to produce a2cmd.exe; give up after 10 minutes rather than hanging the fix forever if extraction fails
$deadline = (Get-Date).AddMinutes(10)
while (-not (Test-Path "$extractPath\bin64\a2cmd.exe")) {
if ((Get-Date) -gt $deadline) { Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue; Write-Error "EEK extraction timed out"; exit 1 }
Start-Sleep -Milliseconds 1000
}
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
if ([Environment]::Is64BitOperatingSystem) {
$a2cmdPath = Join-Path $extractPath "bin64\a2cmd.exe"
} else {
$a2cmdPath = Join-Path $extractPath "bin32\a2cmd.exe"
}
Start-Process -FilePath $a2cmdPath -ArgumentList "/update" -Wait -NoNewWindow
Start-Process -FilePath $a2cmdPath -ArgumentList "/malware /quick /m /t /pup /a /am /cloud=1 /la=`"$frstPath\EEK_scan.log`"" -Wait -NoNewWindow
Get-Content "$frstPath\EEK_scan.log"
exit
EndPowerShell:
cmd: del %temp%\*.* /f /s /q
cmd: rd /s /q %temp%
cmd: bitsadmin /reset /allusers
cmd: netsh winsock reset catalog
cmd: ipconfig /flushdns
RemoveProxy:
EmptyTemp:
End